Create firewall rules by script

Roberto Bianchi · Nov 7, 2019, 1:31 PM

Hi to all,
I saw previous topic but I would like to know if with new version I can add rules from external application.
I woluld like to create a firewall rules that my SIEM known like an attack.

Can I do that?
Thanks
Roberto

NogBadTheBad · Nov 7, 2019, 1:34 PM

Wouldn't you be better installing something like Snort or Suricata and sign up to a paid subscription?

Roberto Bianchi · Nov 7, 2019, 1:36 PM

Hi,
i have an IDS/IPS system but I wuold like to do this by SIEM and PFsense if it possible.

Thanks

Konstanti · Nov 8, 2019, 6:06 AM

@Roberto-Bianchi
Hello
To dynamically add / remove rules to the firewall you need to use anchors

https://www.openbsd.org/faq/pf/anchors.html

PFSense has several anchors for this purpose
For example, the anchor "userrules"

# User-defined rules follow

anchor "userrules/*"

According to this principle, a bunch of Fail2ban+Packet Filter works

root@fr:/usr/local/etc/fail2ban # pfctl -a f2b/SSH -sr
block drop log quick proto tcp from <f2b-SSH> to any port = ssh
root@fr:/usr/local/etc/fail2ban # pfctl -a f2b/SSH -t f2b-SSH -Ts
   85.225.16.184
root@fr:/usr/local/etc/fail2ban #

jimp · Nov 8, 2019, 1:24 PM

There is no API for this (yet), though there is the easyrule script which may not help directly, but you could copy its code to potentially setup something.

Having an IDS inject rules is a fine idea in general, though. We have demonstrated this working in TNSR using its API combined with ERSPAN to feed packets to the IDS: https://github.com/Netgate/TNSR_IDS/